Package dpkg updated to version 1.17.25-alt1 for branch sisyphus in task 143500.

Published: 2015-04-13
Modified: 2024-11-21

CVE-2015-0840

The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc).

Severity: MEDIUM (4.3)

References:

FEDORA-2015-6974
FEDORA-2015-6974
openSUSE-SU-2015:1058
openSUSE-SU-2015:1058
DSA-3217
DSA-3217
USN-2566-1
USN-2566-1

Published: 2017-04-26
Modified: 2024-11-21

CVE-2017-8283

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.

Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

http://www.openwall.com/lists/oss-security/2017/04/20/2
http://www.openwall.com/lists/oss-security/2017/04/20/2
98064
98064

Version: 2.1.0

Package dpkg update in sisyphus on 2015-04-23

ALT-PU-2015-1399-1

Closed vulnerabilities

CVE-2015-0840

CVE-2017-8283